Office of Audits and Evaluations
Report No. AUD-14-007

The FDIC's Purchase Card Program

March 2014


Executive Summary

The FDIC's Purchase Card Program
Report No. AUD-14-007
March 2014

Why We Did The Audit

The Government Charge Card Abuse Prevention Act of 2012, while not applicable to the FDIC, requires executive agencies that issue and use purchase cards (P-Cards) and convenience checks to establish and maintain appropriate safeguards and internal controls over those forms of payment. The statute also requires Inspectors General covered by the Act to conduct periodic risk assessments and audits of agency P-Card and convenience check programs. Consistent with the spirit of the Act, we conducted an audit of the FDIC's P-Card Program.

The objective of this performance audit was to determine the effectiveness of internal controls intended to minimize improper transactions executed under the P-Card Program. For purposes of the audit, we considered a transaction to be improper if it did not comply with FDIC policy, procedures, or guidelines. The FDIC Office of Inspector General engaged the independent firm of Reed & Associates, CPAs, Inc., to provide technical assistance during the audit.

Background

The FDIC participates in the government-wide charge card program known as the General Services Administration (GSA) SmartPay 2 Program. Under the program, GSA manages a set of master contracts with major U.S. financial institutions through which agencies and organizations may obtain charge card services to accomplish their mission. In 2008, the FDIC entered into a 10-year contract under the program with U.S. Bank National Association (U.S. Bank). The contract authorizes U.S. Bank to issue P-Cards to designated FDIC employees and to bill the FDIC for cardholder purchases. The contract also provides for the use of convenience checks in order to accommodate purchases from vendors who do not accept P-Cards.

Within the FDIC, the Division of Administration (DOA) has overall responsibility for administering the P-Card Program. Key roles in the program include an Agency Program Coordinator who is responsible for the day-to-day administrative oversight of the P-Card Program, Division/Office Coordinators who serve as liaisons with DOA and oversee their division's or office's compliance with the program, and Approving Officials who are responsible for monitoring cardholders, reviewing and approving purchases and charges, and ensuring that charges are adequately supported.

The Office of Management and Budget, the Government Accountability Office, GSA, and other federal agencies have published requirements and suggested best practices (referred to herein as recognized best practices) for government charge card programs. Although the FDIC is generally not subject to these recognized best practices, they do define prudent concepts and business practices that can reduce the risk of fraud, waste, and error in charge card programs.

Audit Results

The FDIC established a number of internal controls intended to minimize the risk of improper transactions under the P-Card Program that were generally consistent with recognized best practices. Such controls include written policies and procedures governing the use of P-Cards and convenience checks, mandatory training for cardholders and Approving Officials, and various risk management controls, such as periodic internal reviews and reconciliations of cardholder statements. Further, the FDIC's card service provider—U.S. Bank—implemented certain controls to prevent and detect improper transactions. While these controls address many recognized best practices, we found that the FDIC could improve the effectiveness of its P-Card Program controls by:

  • making greater use of transaction data to detect patterns, trends, and anomalies that may be indicative of potential fraud or misuse;

  • performing periodic, program-level reviews of cardholder purchase limits to ensure they remain appropriate and monitoring convenience check transactions for compliance with established purchase limits;

  • conducting periodic, program-level assessments of the reasonableness of the ratio of Approving Officials to cardholders and the volume of transactions that Approving Officials are responsible for reviewing;

  • ensuring that cardholder accounts are disabled in a timely manner when cardholders leave the FDIC;

  • prohibiting cardholders from using the P-Card to purchase non-monetary awards on their own behalf; and

  • reviewing and clarifying, as appropriate, the role and responsibilities of the Division/Office Coordinator.

We reviewed a non-statistical sample of 150 P-Card transactions processed between April 1, 2011, and December 31, 2012, to determine whether they complied with FDIC policies, procedures, and guidelines. Non-statistical samples are judgmental and cannot be projected to the population of transactions. We found that all of the transactions had been approved by an Approving Official. However, we did note some form of noncompliance for 26 of the transactions. Most instances of noncompliance involved cardholders not retaining receipts to support purchases. We referred these 26 transactions to appropriate FDIC management officials for follow-up action. Our review of P-Card transactions also identified a wide range of items that were purchased using the Internet as non-monetary awards for employees. Although such purchases are not prohibited by FDIC policy, using the P-Card to purchase non-monetary awards that are of a personal nature presents a reputational risk to the FDIC. The FDIC should consider this risk and clarify its P-Card and non-monetary awards policy, as appropriate.

Recommendations and Corporation Comments

Our report contains eight recommendations addressed to the Director, DOA, that are intended to strengthen internal controls related to the P-Card Program. The Director, DOA, provided a written response, dated March 26, 2014, to a draft of this report.
In the response, the Director concurred with all eight of the report's recommendations and described ongoing and planned actions that address the recommendations.

To view the full report, go to www.fdicig.gov


Contents

Background
Results of Audit
Alignment of P-Card Program Controls to Recognized Best Practices
Review of Selected P-Card Transactions
Corporation Comments and OIG Evaluation

Appendices
  1. Objective, Scope, and Methodology
  2. Glossary of Terms
  3. Acronyms and Abbreviations
  4. Corporation Comments
  5. Summary of the Corporation's Corrective Actions

Tables
  1. Selected P-Card Program Statistics for the Years Ended 2008-2012
  2. Assessment of P-Card Program Controls


Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, Virginia 22226
Office of Audits and Evaluations
Office of Inspector General

DATE:            March 31, 2014

MEMORANDUM TO:   Arleas Upton Kea, Director
                 Division of Administration

FROM:            /Signed/
                 Stephen M. Beard
                 Deputy Inspector General for Audits and Evaluations

SUBJECT:         The FDIC's Purchase Card Program
                 (Report No. AUD-14-007)

This report presents the results of our audit of the FDIC's Purchase Card (P-Card) Program. The Government Charge Card Abuse Prevention Act of 2012, while not applicable to the FDIC, requires executive agencies that issue and use P-Cards and convenience checks to establish and maintain appropriate safeguards and internal controls over those forms of payment.[1] The statute also requires Inspectors General covered by the Act to conduct periodic risk assessments and audits of agency P-Card and convenience check programs. Consistent with the spirit of the Act, we conducted an audit of the FDIC's P-Card Program.[2]

The audit objective was to determine the effectiveness of internal controls intended to minimize improper transactions executed under the P-Card Program. For purposes of the audit, we considered a transaction to be improper if it did not comply with FDIC policy, procedures, or guidelines. To address our objective, we compared the FDIC's P-Card Program controls to government-wide requirements and recognized best practices and reviewed a non-statistical sample of P-Card and convenience check transactions for compliance with the FDIC policies, procedures, and guidelines.[3] We also spoke with officials in the Division of Administration (DOA) and other divisions and offices who had responsibility for administering and implementing the P-Card Program.

We conducted this performance audit in accordance with generally accepted government auditing standards. Appendix 1 of this report includes additional details about our objective, scope, and methodology; Appendix 2 contains a glossary of key terms; Appendix 3 contains a list of acronyms and abbreviations; Appendix 4 contains the Corporation's comments on this report; and Appendix 5 contains a summary of the Corporation's corrective actions.

[1] Terms that are underlined when first used in this report are defined in Appendix 2, Glossary of Terms.
[2] The FDIC's P-Card Program includes both P-Cards and convenience checks.
[3] A non-statistical sample is judgmental and cannot be projected to the population. See Appendix 1 for details regarding our sampling methodology.

Background

The FDIC participates in the government-wide charge card program known as the General Services Administration (GSA) SmartPay 2 Program. The program provides agencies and other organizations with a low-cost, efficient vehicle for obtaining goods and services directly from vendors. Under the SmartPay 2 Program, GSA manages a set of master contracts with major U.S. financial institutions through which agencies and organizations may obtain charge card services to accomplish their mission. In 2008, the FDIC entered into a 10-year contract under the program with U.S. Bank National Association (U.S. Bank). The contract authorizes U.S. Bank to issue P-Cards to designated FDIC employees and to bill the FDIC for cardholder purchases. The contract also provides for the use of convenience checks in order to accommodate purchases from vendors who do not accept P-Cards. However, the use of convenience checks is considered to be the least preferred means of paying for goods and services and should only be used when the P-Card is not accepted.

The FDIC Purchase Card Guide (P-Card Guide) defines the FDIC's P-Card Program policies, procedures, processes, and guidelines, as well as the roles and responsibilities of key program participants.[4] According to the P-Card Guide, DOA's Acquisition Services Branch (ASB), Policy and Systems Section, has overall responsibility for administering the P-Card Program. Other key roles and responsibilities defined in the P-Card Guide include, but are not limited to, the following:

  • Agency Program Coordinator (APC). An ASB official with day-to-day administrative responsibility for operating the P-Card Program, providing guidance to program participants, and serving as the FDIC's primary liaison with U.S. Bank and GSA.

  • Division/Office Coordinators (D/OC). Officials appointed by each participating division or office to serve as a liaison with ASB. Among other things, D/OCs are responsible for ensuring that ASB has a current list of cardholders and Approving Officials (AO) and that cardholders and AOs verify and approve transactions each month and receive appropriate training. D/OCs are also responsible for requesting the establishment and cancellation of cardholder accounts and requesting revised purchase limits, as appropriate.

  • Approving Officials. Division or office officials responsible for monitoring cardholder compliance with regulations and procedures. Among other things, AOs are responsible for reviewing and approving purchases and charges and ensuring that charges are supported with vendor receipts or other evidence of the receipt of goods or services (collectively referred to herein as transaction documentation).

  • Cardholders. FDIC employees designated by an AO or D/OC and appointed by the DOA Assistant Director, Policy and Systems Section, or the APC. Cardholders are responsible for using the P-Card (and convenience checks if they have been delegated authority to use that form of payment) to purchase goods and services for official use only and for complying with the P-Card Guide and any restrictions in their Cardholder Appointment Memorandum.

[4] The P-Card Guide, dated August 2008, is an appendix to the Procedures, Guidance, and Information (PGI) document, which accompanies the FDIC Acquisition Policy Manual (APM). The APM establishes the FDIC's policy for procuring goods and services from the private sector. The PGI document contains procedures for implementing the APM.

DOA's homepage on the FDIC's internal network also contains information about the P-Card Program, such as procedures for obtaining P-Card accounts, reconciling cardholder statements with the FDIC's accounting system known as the New Financial Environment (NFE), approving cardholder purchases, and obtaining training.

P-Card Usage at the FDIC

P-Cards are the FDIC's preferred method for purchasing and paying for goods and services valued at $5,000 or less. P-Cards may also be used to acquire commercially available goods and services valued above $5,000, provided that the cardholder complies with the P-Card Guide and appropriate sections of the APM and PGI document.[5] In addition, P-Cards may be used for recurring purchases provided that the cumulative total of any recurring requirement does not exceed $100,000 in a 12-month period.

[5] The FDIC has independent procurement authority under the Federal Deposit Insurance Act and, therefore, is not required to follow the Federal Acquisition Regulation.

Table 1 contains selected statistics pertaining to the FDIC's P-Card Program for the calendar years ended December 31, 2008 through 2012. As shown in the table, the number of cardholder accounts and P-Card transactions peaked in 2010 during the financial crisis and have declined gradually since that time.

Table 1: Selected P-Card Program Statistics for the Years Ended 2008-2012

  Program Statistic                              2012          2011          2010          2009          2008
  Number of Cardholder Accounts                   571           648           742           617           492
  Number of P-Card Transactions                21,138        26,836        27,865        25,715        18,964
  Number of Convenience Check Transactions      1,317         1,705         1,940         2,112         1,354
  Total Purchase Amounts                  $23,332,018   $30,226,751   $33,303,154   $30,097,438   $21,775,183

Source: Office of Inspector General (OIG) analysis of data provided by DOA for 2008 and U.S. Bank for 2009-2012.

Government-wide Requirements and Best Practices

The Office of Management and Budget's (OMB) Circular No. A-123, Management's Responsibility for Internal Control, Appendix B Revised, Improving the Management of Government Charge Card Programs (OMB A-123, Appendix B), dated January 15, 2009, defines minimum requirements and suggested best practices for government charge card programs.
Although the FDIC is not subject to OMB A-123, Appendix B, it defines prudent concepts and business practices that can reduce the risk of fraud and misuse in charge card programs. Among other things, the appendix states that charge card programs should include:

  • written policies and procedures for the appropriate use of charge cards;

  • mandatory training for cardholders and other program participants;

  • risk management controls, such as reviews of cardholder statements and transaction documentation, separation of duties for key functions, and reviews of available data (including the use of data mining, if available) to detect instances of fraud and misuse;

  • periodic reviews of controls to evaluate their effectiveness; and

  • controls to mitigate the use of convenience checks.

GSA, the Government Accountability Office (GAO), and other federal agencies have also published best practices related to government charge card programs. For purposes of this report, we refer to these best practices and OMB A-123, Appendix B, as recognized best practices.


Results of Audit

The FDIC established a number of internal controls intended to minimize the risk of improper transactions under the P-Card Program that were generally consistent with recognized best practices. Such controls include written policies and procedures governing the use of P-Cards and convenience checks, mandatory training for cardholders and AOs, and various risk management controls, such as periodic internal reviews and reconciliations of cardholder statements. Further, the FDIC's card service provider—U.S. Bank—implemented certain controls to prevent and detect improper transactions. While these controls address many recognized best practices, we found that the FDIC could improve the effectiveness of its P-Card Program controls by:

  • making greater use of transaction data to detect patterns, trends, and anomalies that may be indicative of potential fraud or misuse;

  • performing periodic, program-level reviews of cardholder purchase limits to ensure they remain appropriate and monitoring convenience check transactions for compliance with established purchase limits;

  • conducting periodic, program-level assessments of the reasonableness of the ratio of AOs to cardholders and the volume of transactions that AOs are responsible for reviewing;

  • ensuring that cardholder accounts are disabled in a timely manner when cardholders leave the FDIC;

  • prohibiting cardholders from using the P-Card to purchase non-monetary awards on their own behalf; and

  • reviewing and clarifying, as appropriate, the role and responsibilities of the D/OC.

We reviewed a non-statistical sample of 150 P-Card transactions processed between April 1, 2011, and December 31, 2012, to determine whether they complied with FDIC policies, procedures, and guidelines. We found that all of the transactions had been approved by an AO. However, we did note some form of noncompliance for 26 of the transactions. Most instances of noncompliance involved cardholders not retaining receipts to support purchases. We referred these 26 transactions to appropriate FDIC management officials for follow-up action. Our review of P-Card transactions also identified a wide range of items that were purchased using the Internet as non-monetary awards for employees. Although such purchases are not prohibited by FDIC policy, using the P-Card to purchase non-monetary awards that are of a personal nature presents a reputational risk to the FDIC. The FDIC should consider this risk and clarify its P-Card and non-monetary awards policy, as appropriate.

Alignment of P-Card Program Controls to Recognized Best Practices

We reviewed the FDIC's P-Card Program controls to assess the extent to which they aligned with 11 recognized best practices for mitigating the risk of fraud and misuse. We identified the 11 best practices based on our review of relevant P-Card-related statutes, policies, procedures, guidance, and reports.[6] Overall, we determined that the establishment and implementation of the FDIC's P-Card Program controls generally aligned with the best practices that we selected for review. However, we did note exceptions. Table 2 below summarizes the results of our assessment. A detailed description of each exception that we noted follows the table.

[6] See Appendix 1 for the statutes, policies, procedures, guidance, and reports that we reviewed.

Table 2: Assessment of P-Card Program Controls

  Controls Intended to Mitigate the Risk of Fraud and Misuse            Addressed in Policies,    Implemented?
                                                                        Procedures, or
                                                                        Guidelines?
  Reviews available transaction data (using automated techniques,              N                      P
    such as data mining) to detect fraud and misuse
  Sets reasonable cardholder purchase limits                                   √                      P
  Reviews cardholder purchases                                                 √                      √
  Blocks merchant category codes                                               √                      √
  Conducts annual reviews of the number of AOs to cardholders,                 N                      P
    cardholder limits, and transactions
  Reconciles accounts and certification of services                            √                      √
  Defines criteria for deactivating/cancelling cardholder accounts             √                      P
  Takes disciplinary action against individuals who abuse their                √                      √
    accounts or otherwise engage in potentially fraudulent activity
  Ensures appropriate separation of duties for key functions                   √                      P
  Identifies key program officials and their responsibilities                  √                      P
  Defines and requires training for program participants                       √                      √

Source: OIG analysis of 11 recognized best practices, the FDIC's P-Card Program policies, procedures, and guidelines, and the results of selected control assessments.
√ – Indicates that the control was addressed in policies, procedures, or guidelines and/or was implemented.
P – Indicates that the control was partially addressed in policies, procedures, or guidelines and/or was partially implemented.
N – Indicates that the control was not addressed in policies, procedures, or guidance and/or was not implemented.

Review of Available Data to Detect Fraud and Misuse. Each month, U.S. Bank provides the FDIC with a file containing basic P-Card and convenience check transaction data, such as merchant names and locations, transaction amounts, and transaction dates. The file is uploaded to NFE, and cardholders and AOs log into NFE to review and approve their transactions. U.S. Bank also maintains, but does not routinely provide, more detailed data for some of the FDIC's P-Card transactions. This more detailed data—commonly referred to as Level III line item detail—includes item descriptions and quantities. In addition, U.S. Bank offers its customers a payment analytics tool that can analyze transaction data and generate a wide variety of standard and custom reports. The tool uses defined parameters to flag suspicious transactions and violations and can correlate seemingly unrelated events that may represent a risk. The use of automated techniques, such as the payment analytics tool, to analyze detailed transaction data for patterns, trends, and anomalies that may be indicative of fraud or misuse is a recognized best practice.

We found that the APC and one other DOA employee reviewed 4 of 25 standard payment analytics reports offered by U.S. Bank.[7] In addition, DOA and several other divisions have performed various internal reviews of their P-Card and convenience check usage in recent years and reported the results to their division's management. However, the FDIC's P-Card policies, procedures, and guidelines do not provide for an ongoing program-level review of detailed transaction data maintained by U.S. Bank for patterns, trends, or anomalies that may indicate potential fraud or misuse. Our review of U.S. Bank's payment analytics tool and related reports found that they could be better leveraged by DOA in its efforts to identify potential fraud, misuse, or noncompliance with FDIC policies, procedures, or guidelines. Doing so would help mitigate risk in the P-Card Program.

[7] The four reports were Possible Split Purchases, Possible Split Transactions in a Single Day, Weekend or Holiday Transactions, and Monitor Possible Conference Transactions.

Cardholder Purchase Limits. GSA's publication, entitled Managing GSA SmartPay Purchase Card Use, a Plan for Success, states that organizations should set realistic, but not excessive, purchase limits as a means of deterring cardholder misuse. In addition, GAO's November 2003 audit guide, entitled Auditing and Investigating the Internal Control of Government Purchase Card Programs, states that purchase limits directly affect the extent of potential loss to an organization from fraudulent, improper, and abusive purchases. Further, periodic reviews of cardholder limits are an important control for ensuring that limits remain at appropriate levels to meet operational requirements and allow organizations to better manage and control their P-Card risks.

Cardholders in the P-Card Program receive a Cardholder Appointment Memorandum that, among other things, establishes the following three types of purchase limits:

  • Single Purchase Limit. The maximum amount a cardholder may charge for any single purchase using the P-Card.

  • Convenience Check Limit. The maximum amount a cardholder may pay when using a convenience check. A cardholder's convenience check limit may be less than his or her single purchase limit. Convenience checks are issued to some, but not all, cardholders.

  • Monthly Purchase Limit. The maximum cumulative amount a cardholder may charge during any monthly billing cycle. The monthly purchase limit includes purchases made with both the P-Card and convenience checks.

We compared 44,404 P-Card and convenience check transactions processed between April 1, 2011, and December 31, 2012, against established single and monthly purchase limits and found no exceptions. However, we did note that 234 of the 571 P-Card accounts (or 41 percent) that were active as of December 31, 2012, had single purchase limits that were more than 5 times the cardholders' maximum transaction amount during the 21-month period that we reviewed. In addition, 491 of the 571 P-Card accounts (or 86 percent) had monthly purchase limits that were more than 5 times the cardholders' maximum monthly purchase amount during the same period. This disparity can be attributed, in part, to elevated limits that were established during the recent financial crisis. Internal reviews of P-Card usage for selected FDIC divisions have also identified cardholder limits that needed to be reduced. Further, the APC has taken some steps to reduce cardholder limits. The results of our analysis indicate that further review and action to adjust cardholder purchase limits is warranted.

We also compared all 2,616 convenience check transactions processed during the time period referenced above against established convenience check limits and found that 32 (or about 1 percent) exceeded those limits. These 32 convenience checks were written by 15 of the 192 cardholders (or about 8 percent) who were authorized to write convenience checks during the same period.
We spoke with 12 of the 15 cardholders regarding the exceptions we identified and determined that none were aware that they had exceeded their convenience check limit.[8] Eight of the 12 cardholders mistakenly thought that their convenience check limit was the same as their single purchase limit for the P-Card. The remaining four cardholders appropriately requested that the APC increase their limits before they wrote the checks, but for various reasons, the increases were not processed by the APC. The APC was also unaware of the 32 limit exceptions that we identified because a mechanism to effectively monitor convenience checks for limit exceptions had not been established. Absent monitoring and appropriate follow-up action with cardholders to address exceptions, there is an increased risk of fraud, misuse, and noncompliance with FDIC policies, procedures, or guidelines.

[8] We were unable to speak with the remaining three cardholders because they were no longer employed by the FDIC.

Ratio of Approving Officials to Cardholders. The P-Card Guide states that AOs are responsible for assuring that all cardholder statement charges are supported by a vendor receipt or other evidence of FDIC receipt of goods or services and for verifying cardholder documentation to ensure purchases are justified. GSA's Blueprint for Success: A Guide for Purchase Card Oversight, states that the number of cardholders and the volume of transactions for which an AO is responsible needs to be reasonable in order to allow AOs ample time to review transactions. Timely reviews of transactions are necessary to ensure the detection of card misuse and fraud. Although there is no definitive AO to cardholder ratio, the GSA guide states that the most common ratios range between 1:4 and 1:10.

We reviewed the span of control for 135 AOs and found that 13 (or 10 percent) had AO to cardholder ratios greater than 1:10. The ratios for these 13 officials ranged from 1:11 to 1:52. We also interviewed a non-statistical sample of 9 AOs who had responsibility for more than 10 cardholders and/or who had a high amount of transactions based on transaction dollars and volume. Six of the 9 AOs that we spoke with stated that they did not have time to look at the documentation underlying every transaction. In many cases, the AOs either spot checked transaction documentation or relied on other staff to review and verify the documentation.

AOs are responsible for ensuring that all purchases made by their cognizant cardholders are appropriate and that charges are accurate and supported. As such, AOs are the first line of defense against potential fraud and misuse and must have the requisite time to review transaction details to ensure that purchases comply with FDIC policies, procedures, and guidelines. The FDIC can achieve greater assurance that AOs have ample time to effectively review transactions by establishing a policy or procedure for conducting periodic, program-level reviews of the ratios of AOs to cardholders and the volume of transactions AOs are responsible for reviewing. The FDIC should also determine whether it is appropriate for AOs to delegate their responsibility to review and verify transaction documentation to other employees and/or to spot check documentation based on some form of risk analysis. To the extent that such practices are determined to be appropriate, the FDIC should clarify AO responsibilities and expectations.

Cancelling Cardholder Accounts for Separating Employees. The P-Card Guide states that cardholders must notify their AO if they plan to leave the FDIC and that the AO must in turn notify the APC in writing of the cardholder's effective separation date prior to the departure. The APC must then cancel the cardholder's account and submit a written confirmation of the cancellation to the AO.

We reviewed the accounts of all cardholders who separated from the FDIC between May 1, 2011, and December 31, 2012, to determine whether the accounts had been cancelled prior to the cardholder's departure. Of the 98 accounts that we reviewed, 22 had not been cancelled prior to the cardholder's separation from the FDIC. Thirteen of the 22 accounts were cancelled more than 7 days after the employee's departure. In most instances, the accounts were not cancelled prior to the cardholders' separation because the AOs did not provide timely notification of the separations to the APC.

Importantly, no new purchases were made under the 22 accounts following the cardholders' separations. Nevertheless, untimely cancellation of cardholder accounts for separating employees presents an increased risk of unauthorized use of the accounts.

Separation of Duties. GSA's Blueprint for Success: A Guide for Purchase Card Oversight, states that agency P-Card policies should address separation of duties to minimize the risk of fraud and/or loss of property. In particular, the responsibilities of cardholders, AOs, and APCs should not overlap to ensure that management controls are not circumvented. The P-Card Guide defines separation of duties for key program participants. Among other things, the guide states that AOs must not be subordinate to any cardholder within their approval hierarchy.

We reviewed a non-statistical sample of 150 of the 44,404 P-Card transactions that were processed between April 1, 2011, and December 31, 2012, and found that eight involved a cardholder purchasing a non-monetary award on their own behalf. In each instance, an AO approved the transaction.
However, for 7 of the 8 transactions, the description of the\ntransaction in NFE merely stated \xe2\x80\x9cnon-monetary award\xe2\x80\x9d without any indication of who\nactually received the award. Such a practice presents a risk that a cardholder could\ndeliberately enter generic non-monetary award descriptions in NFE for purchases they\nmake on their own behalf. The risk is further elevated by the fact that some AOs do not\nhave ample time to review underlying transaction documentation as described earlier.\nWe also found that one of the nine AOs that we interviewed was a subordinate to a\ncardholder. The P-Card Guide prohibits employees from serving as AOs when they are a\nsubordinate to a cardholder. We notified DOA of this situation and corrective action was\ntaken prior to the close of the audit.\n\nRole of the Division/Office Coordinator. The P-Card Guide identifies the D/OC as one\nof four roles associated with the success of the P-Card Program. According to the guide,\na D/OC must be appointed by each participating division or office to serve as a liaison\nwith ASB and to function at an organizational level for purposes of coordinating\nAPC requests to the division or office, and for internal control purposes. 
The\nresponsibilities of D/OCs include:\n\n   \xe2\x80\xa2   ensuring that ASB has a current list of cardholders and AOs and that the hierarchy\n       structure of the program is correct (e.g., that cardholders are subject to approval\n       by the correct AOs);\n\n   \xe2\x80\xa2   acting as the primary point of contact with ASB for disseminating information\n       about the program;\n\n   \xe2\x80\xa2   ensuring cardholders and AOs have verified and approved all transactions on a\n       monthly basis;\n\n   \xe2\x80\xa2   ensuring that cardholders and AOs have received appropriate training;\n\n   \xe2\x80\xa2   ensuring that all convenience check data is submitted monthly to the APC;\n\n   \xe2\x80\xa2   requesting the establishment and cancellation of cardholder accounts and revised\n       purchase limits, as appropriate; and\n\n   \xe2\x80\xa2   reporting suspected P-Card misuse to the APC immediately upon becoming aware\n       of possible misuse.\n\nThe APC informed us that, in practice, the involvement of the D/OCs in the P-Card\nProgram is informal and that D/OCs are generally only consulted on an as needed basis\nwhen DOA requires their assistance. In addition, the APC was not maintaining a current\nlisting of individuals serving as D/OCs and two offices\xe2\x80\x94the Office of Minority and\n\n                                           10\n\x0cWomen Inclusion and the Office of International Affairs\xe2\x80\x94did not have a designated\nD/OC. DOA should review the role of the D/OC in the P-Card Program to determine\nwhether it is functioning as intended and clarify the D/OC\xe2\x80\x99s responsibilities, if warranted.\n\nRecommendations\n\nWe recommend that the Director, DOA:\n\n   1. Make greater use of P-Card transaction data and reports to detect patterns, trends,\n      and anomalies that may be indicative of potential fraud or misuse.\n\n   2. 
Strengthen oversight of purchase limits by (a) performing periodic, program-level\n      reviews of cardholder purchase limits to ensure they remain appropriate,\n      (b) establishing processes to monitor convenience checks for potential limit\n      exceptions, and (c) reiterating to cardholders the difference between single\n      purchase limits for P-Cards and convenience checks.\n\n   3. Establish a policy or procedure for conducting periodic, program-level reviews of\n      the ratios of AOs to cardholders and the volume of transactions AOs are\n      responsible for reviewing to ensure they remain appropriate.\n\n   4. Review and clarify, as appropriate, AO responsibilities and expectations for\n      reviewing and verifying documentation supporting P-Card transactions.\n\n   5. Reinforce to cardholders and AOs their responsibility to provide timely\n      notification to the APC of pending cardholder separations.\n\n   6. Update P-Card policies and procedures to prohibit cardholders from using the\n      P-Card to purchase non-monetary awards on their own behalf.\n\n   7. Review and clarify, as appropriate, the role and responsibilities of the\n      Division/Office Coordinator.\n\n\n\nReview of Selected P-Card Transactions\n\nWe reviewed a non-statistical sample of 150 of the 44,404 P-Card transactions that were\nprocessed between April 1, 2011, and December 31, 2012, to determine whether they\ncomplied with FDIC policies, procedures, and guidelines. We found that all 150 of the\ntransactions had been approved by an AO. However, we did note some form of non-\ncompliance for 26 of the transactions. Most instances of noncompliance involved\ncardholders not retaining receipts to support purchases. 
The remaining instances\ninvolved the purchase of prohibited items, the payment of sales taxes, transaction\nsplitting to circumvent a purchase limit, and not coordinating with another division or\n\n                                            11\n\x0coffice before purchasing a good or service that required such coordination. These policy\nexceptions appear to have been caused by oversights or a lack of awareness of policy\nrequirements on the part of cardholders. We referred all 26 instances of noncompliance\nto the DOA Assistant Director, Policy and Systems Section, for appropriate action.\n\nNon-monetary Awards. Circular 2420.1, FDIC Rewards and Recognition Program,\nallows divisions and offices to use the P-Card to purchase non-monetary awards for\nemployees. The circular states that the type of items that may be awarded is left to the\ndiscretion and creativity of the individual approving the award. Our review of the 150\nP-Card transactions identified a wide range of items that were purchased as non-monetary\nawards using the Internet. These items were generally valued at $25 or less. Although\nthe non-monetary award items that we reviewed were permissible under FDIC policy,\nusing the P-Card to purchase awards that are of a personal nature presents a reputational\nrisk to the FDIC. We spoke with DOA management officials about this risk and were\ninformed that consideration is being given to modifying Circular 2420.1 to limit the types\nof items that would qualify as non-monetary awards. The FDIC should consider the risk\nassociated with using the P-Card to purchase non-monetary awards and clarify the\nCorporation\xe2\x80\x99s P-Card and non-monetary awards policies and guidance, as appropriate.\n\nRecommendation\n\nWe recommend that the Director, DOA:\n\n   8. 
Review and clarify, as appropriate, corporate policy and guidance related to the\n      types of items that may be purchased as non-monetary awards using the P-Card.\n\n\nCorporation Comments and OIG Evaluation\nThe Director, DOA, provided a written response, dated March 26, 2014, to a draft of this\nreport. The response is presented in its entirety in Appendix 4. In the response, the\nDirector concurred with all eight of the report\xe2\x80\x99s recommendations and described ongoing\nand planned corrective actions that address the recommendations. A summary of the\nCorporation\xe2\x80\x99s corrective actions is presented in Appendix 5. The planned corrective\nactions are responsive to the recommendations and the recommendations are resolved.\n\n\n\n\n                                           12\n\x0c                                                                             Appendix 1\n\n\n               Objective, Scope, and Methodology\nObjective\n\nThe audit objective was to determine the effectiveness of internal controls intended to\nminimize improper transactions executed under the P-Card program.\n\nWe conducted this performance audit from April 2013 through February 2014 in\naccordance with generally accepted government auditing standards. Those standards\nrequire that we plan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our audit objective.\nWe believe that the evidence obtained provides a reasonable basis for our findings and\nconclusions based on our audit objective. The conclusions and findings in this report are\nbased on information provided by the FDIC and certain analyses that we performed\nthrough February 2014. 
We caution that projecting the results of our audit to future\nperiods is subject to the risk that controls may become inadequate because of changes in\nconditions or because compliance with controls may deteriorate.\n\nScope and Methodology\n\nTo obtain a proper understanding of relevant government-wide requirements and best\npractices related to P-Card usage, we:\n\n   \xe2\x80\xa2   Reviewed and analyzed government-wide statutes, policies, procedures, guidance,\n       and reports including, but not limited to:\n\n            o The Government Charge Card Abuse Prevention Act of 2012\n            o OMB A-123, Appendix B\n            o The Council of the Inspectors General on Integrity and Efficiency\xe2\x80\x99s\n              Government Purchase Card Audit Framework, dated January 2012\n            o GAO\xe2\x80\x99s audit guide, entitled Auditing and Investigating the Internal\n              Control of Government Purchase Card Programs, dated November 2003\n            o GAO\xe2\x80\x99s report, entitled Governmentwide Purchase Cards: Actions Needed\n              to Strengthen Internal Controls to Reduce Fraudulent, Improper, and\n              Abusive Purchases, dated March 2008\n            o GSA\xe2\x80\x99s Blueprint for Success: A Guide for Purchase Card Oversight\n            o GSA\xe2\x80\x99s Managing GSA SmartPay Purchase Card Use: A Plan for Success\n\n   \xe2\x80\xa2   Contacted officials in GSA\xe2\x80\x99s SmartPay Program to obtain their perspectives on\n       P-Card program controls.\n\n   \xe2\x80\xa2   Interviewed selected OIG officials at other federal agencies to discuss their\n       approach for conducting P-Card audits.\n\n\n\n                                            13\n\x0cTo obtain an understanding of the FDIC\xe2\x80\x99s internal controls intended to minimize\nimproper P-Card transactions, 
we:\n\n   \xe2\x80\xa2   Reviewed and analyzed P-Card Program policies, procedures, guidelines, and\n       reports, including:\n          o The P-Card Guide\n          o Procedures and guidance on DOA\xe2\x80\x99s internal Web site pertaining to such\n               things as NFE reconciliations and approvals, training, communications on\n               temporary limit increases and convenience check usage, and frequently\n               asked questions\n          o DRR Circular 3700, FDIC Purchase Card Program, dated June 20, 2008.\n          o DOA\xe2\x80\x99s report, entitled Overview of the FDIC Purchase Card Program\n               and Business Processes, dated February 2011\n          o Internal review reports issued by DOA and other divisions\n\n   \xe2\x80\xa2   Interviewed officials in DOA, including the APC, and other divisions and offices,\n       such as AOs and cardholders, who had responsibility for administering and\n       implementing the P-Card Program.\n\n   \xe2\x80\xa2   Interviewed the U.S. Bank representative to the FDIC to determine the types of\n       internal controls that U.S. Bank employs.\n\nTo determine the effectiveness of internal controls intended to minimize improper\ntransactions, we compared the FDIC\xe2\x80\x99s P-Card Program controls to 11 recognized best\npractices that we determined to be key in mitigating the risk of fraud and misuse in\ngovernment charge card programs. 
We also performed various analyses of program\ncontrols, such as computing the ratio of AOs to cardholders and the total transaction\nvolume that AOs are responsible for and comparing that information to best practices;\ncomparing cardholder credit limits to cardholder transactions to determine cardholder\nutilization of available credit; comparing all convenience check transactions against\ncardholder convenience check limits for the population of transactions; and determining\nthe timeliness of account cancellations for cardholders who separated from the FDIC\nfrom May 1, 2011, through December 31, 2012.\n\nIn addition to program controls, we reviewed a non-statistical sample of transactions for\ncompliance with FDIC policies, procedures, and guidelines. Non-statistical samples are\njudgmental and cannot be projected to the population of transactions. A description of\nour sampling methodology follows.\n\nWe obtained a dataset of all P-Card and convenience check transactions from U.S. Bank\nfor the period April 1, 2011, through December 31, 2012. The dataset contained a total\nof 44,404 transactions, consisting of 41,788 P-Card transactions totaling $40.7 million\nand 2,616 convenience check transactions totaling $5.2 million. We selected 150\n\n                                            14\n\x0ctransactions totaling $962,478 from the population by using 13 filters (or business rules)\nthat we developed based on our review of government-wide requirements, best practices,\nand reports. 
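The program-level analyses described above, run on a constructed dataset, as an added example in Python; this is not the OIG's, Reed & Associates' or the FDIC's code. The report does not publish its 13 business rules, so the checks below are the ones its results describe: single, monthly and convenience-check limit exceptions, limits more than 5 times actual usage, same-day split purchases and weekend or holiday transactions (the patterns behind the U.S. Bank reports named in footnote 7), AO span of control beyond 1:10, and cancellation timeliness for separated cardholders. Every transaction, limit, AO assignment, separation date and holiday is constructed, and the record layout and function names are assumptions rather than the U.S. Bank or NFE export format.

```python
"""Program-level P-Card analytics of the kind the audit describes.

Added example; not the OIG's, Reed & Associates' or the FDIC's code. All data
below is constructed, and the tuple layout and function names are assumptions,
not the U.S. Bank or NFE export format.
"""
from collections import defaultdict
from datetime import date
from decimal import Decimal as D

# (txn_id, cardholder, approving_official, kind, merchant, date, amount);
# kind is "pcard" or "check" (convenience check). Constructed data.
TXNS = [
    ("t1", "smith", "ao1", "pcard", "OfficeMart", date(2012, 3, 5), D("2400")),
    ("t2", "smith", "ao1", "pcard", "OfficeMart", date(2012, 3, 5), D("2300")),  # same day and merchant as t1
    ("t3", "smith", "ao1", "check", "LocalPrint", date(2012, 3, 12), D("1800")),  # over the check limit
    ("t4", "jones", "ao1", "pcard", "WebStore", date(2012, 3, 10), D("45")),      # a Saturday
    ("t5", "jones", "ao1", "pcard", "WebStore", date(2012, 5, 28), D("120")),     # Memorial Day 2012
    ("t6", "lee", "ao2", "pcard", "Caterer", date(2012, 4, 2), D("700")),
]
# Limits as a Cardholder Appointment Memorandum would state them (constructed).
LIMITS = {
    "smith": {"single": D("3000"), "monthly": D("10000"), "check": D("1500")},
    "jones": {"single": D("2500"), "monthly": D("20000"), "check": D("0")},
    "lee": {"single": D("1000"), "monthly": D("5000"), "check": D("0")},
}
HOLIDAYS = {date(2012, 5, 28)}
# cardholder -> (effective separation date, date the account was cancelled, or None)
SEPARATIONS = {
    "lee": (date(2012, 6, 30), date(2012, 6, 29)),
    "jones": (date(2012, 9, 14), date(2012, 9, 30)),
}


def monthly_totals(txns):
    """Spend per cardholder and month; the monthly limit covers cards and checks together."""
    totals = defaultdict(D)
    for _, ch, _, _, _, when, amt in txns:
        totals[(ch, when.year, when.month)] += amt
    return totals


def limit_exceptions(txns=TXNS, limits=LIMITS):
    """Single-purchase, convenience-check and monthly limit breaches."""
    hits = []
    for tid, ch, _, kind, _, _, amt in txns:
        cap = limits[ch]["check" if kind == "check" else "single"]
        if amt > cap:
            hits.append((tid, f"{kind} limit {cap}"))
    for (ch, y, m), total in monthly_totals(txns).items():
        if total > limits[ch]["monthly"]:
            hits.append((f"{ch}-{y}-{m:02d}", f"monthly limit {limits[ch]['monthly']}"))
    return hits


def oversized_limits(txns=TXNS, limits=LIMITS, factor=5):
    """Cardholders whose limits exceed `factor` times what they actually used;
    the audit applied 5x to both the single and the monthly limit."""
    max_txn, max_month = defaultdict(D), defaultdict(D)
    for _, ch, _, _, _, _, amt in txns:
        max_txn[ch] = max(max_txn[ch], amt)
    for (ch, _, _), total in monthly_totals(txns).items():
        max_month[ch] = max(max_month[ch], total)
    flagged = {}
    for ch, lim in limits.items():
        reasons = [k for k, used in (("single", max_txn[ch]), ("monthly", max_month[ch]))
                   if lim[k] > factor * used]
        if reasons:
            flagged[ch] = reasons
    return flagged


def possible_split_purchases(txns=TXNS, limits=LIMITS):
    """Same cardholder, merchant and day, with pieces adding up to more than the
    single purchase limit: the pattern behind the 'possible split' reports."""
    groups = defaultdict(list)
    for tid, ch, _, kind, merchant, when, amt in txns:
        if kind == "pcard":
            groups[(ch, merchant, when)].append((tid, amt))
    return [(ch, merchant, when, [t for t, _ in parts])
            for (ch, merchant, when), parts in groups.items()
            if len(parts) > 1 and sum(a for _, a in parts) > limits[ch]["single"]]


def weekend_or_holiday(txns=TXNS, holidays=HOLIDAYS):
    """Transactions dated on a Saturday, Sunday or listed holiday."""
    return [tid for tid, _, _, _, _, when, _ in txns
            if when.weekday() >= 5 or when in holidays]


def ao_span_of_control(txns=TXNS, max_cardholders=10):
    """AOs responsible for more cardholders than the 1:10 upper end of the GSA range."""
    per_ao = defaultdict(set)
    for _, ch, ao, _, _, _, _ in txns:
        per_ao[ao].add(ch)
    return {ao: len(chs) for ao, chs in per_ao.items() if len(chs) > max_cardholders}


def late_cancellations(separations=SEPARATIONS, grace_days=7):
    """Accounts still open after the separation date: 'late' when cancelled more
    than `grace_days` afterwards, 'open' when never cancelled."""
    out = {}
    for ch, (left, cancelled) in separations.items():
        if cancelled is None:
            out[ch] = "open"
        elif cancelled > left:
            out[ch] = "late" if (cancelled - left).days > grace_days else "after separation"
    return out


if __name__ == "__main__":
    for check in (limit_exceptions, oversized_limits, possible_split_purchases,
                  weekend_or_holiday, ao_span_of_control, late_cancellations):
        print(f"{check.__name__}: {check()}")
```

Two details matter when adapting this to a real export. The monthly total deliberately adds P-Card and convenience check spend together, because the FDIC's monthly limit covers both. And the split-purchase rule keys on cardholder, merchant and calendar day, which catches two sub-limit charges that together exceed the single purchase limit but not a split spread across several days or merchants; a looser window trades more false positives for that coverage.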
These business rules were designed to identify \xe2\x80\x9cat risk\xe2\x80\x9d transactions that had\nan elevated potential for non-compliance with FDIC policies, procedures, or guidelines.\nWe engaged the independent firm of Reed & Associates, CPAs, Inc., to assist us in\ndeveloping automated queries to filter the dataset using the 13 business rules to develop\nour sample of 150 transactions. For each transaction that we selected, we performed the\nfollowing steps:\n\n   \xe2\x80\xa2   Requested that the cognizant cardholder provide us with documentation\n       supporting the transaction and the rationale for procuring the goods or services.\n\n   \xe2\x80\xa2   Verified whether each transaction had been approved by an AO in NFE.\n\n   \xe2\x80\xa2   Determined whether the business reason provided for the transaction was\n       consistent with information contained in NFE.\n\nWe performed our work at the FDIC\xe2\x80\x99s Virginia Square Offices in Arlington, Virginia.\n\nInternal Control, Reliance on Computer-processed Information,\nPerformance Measurement, and Compliance with Laws and Regulations\n\nAs described in the Scope and Methodology section of this Appendix, we performed\naudit procedures to identify and obtain an understanding of the FDIC\xe2\x80\x99s internal controls\nfor minimizing improper transactions executed under the P-Card program. We also\ncompared the FDIC\xe2\x80\x99s P-Card Program controls to recognized best practices and reviewed\nselected transactions for compliance with the FDIC\xe2\x80\x99s P-Card policies, procedures, and\nguidelines. Consistent with our audit objective, we did not assess the adequacy of the\nFDIC\xe2\x80\x99s overall internal control or management control environment. Our report\nidentifies certain internal control weaknesses warranting management\xe2\x80\x99s attention.\n\nWe relied on data provided by U.S. Bank to select a sample of transactions for detailed\nanalysis. 
We determined that the data provided was sufficiently reliable for purposes of\nselecting a sample by performing various procedures, such as reconciling P-Card\ntransaction data from U.S. Bank to NFE; discussing the data with a U.S. Bank\nrepresentative and DOA officials; and comparing the data to figures in published reports,\nsuch as Annual Review Reports issued by U.S. Bank and an internal FDIC report on\nP-Cards, and information generated by NFE. We did not perform an assessment of data\nreliability controls in U.S. Bank\xe2\x80\x99s systems or NFE. However, we did review the accuracy\nand completeness of selected data in U.S. Bank\xe2\x80\x99s system and NFE for the 150\ntransactions we selected by comparing information in the systems to supporting\ndocumentation (when it was available).\n\n\n                                            15\n\x0cThe Government Performance and Results Act of 1993 (the Results Act), as amended,\ndirects executive branch agencies to develop a customer-focused strategic plan, align\nagency programs and activities with concrete missions and goals, and prepare and report\non annual performance plans. For this audit, we did not assess the strengths and\nweaknesses of FDIC\xe2\x80\x99s annual performance plan in meeting the requirements of the\nResults Act because such an assessment was not part of the audit objective.\n\nWe did not perform tests of compliance with the Government Charge Card Abuse\nPrevention Act of 2012 because the FDIC is not subject to the statute. However, we did\nconsider the provisions of the statute in selecting the 11 recognized best practices that\nwere used as the principal criteria for our assessment of P-Card program controls. 
We\nassessed the risk of fraud and abuse related to our objective when selecting audit criteria,\ndesigning audit procedures, and evaluating audit evidence.\n\n\n\n\n                                             16\n\x0c                                                                               Appendix 2\n\n\n                          Glossary of Terms\n     Term                                         Definition\nCardholder       A memorandum issued by the DOA Assistant Director, Policy and\nAppointment      Systems Section, or the APC that delegates to the cardholder the authority\nMemorandum       to make authorized purchases for the FDIC using the P-Card (and in some\n                 cases, convenience checks). The memorandum specifies purchase limits\n                 and any restrictions on the use of the P-Card or convenience checks.\nConvenience      A paper check associated with a cardholder account.\nCheck\nData Mining      An automated process used to analyze data to detect patterns, trends,\n                 and/or anomalies for use in risk management and other areas of analysis.\nFraud            Any act of corruption or attempt to cheat the government or corrupt the\n                 government\xe2\x80\x99s agents, including but not limited to, the use of government\n                 charge cards to transact business that is not sanctioned, not authorized, not\n                 in one\xe2\x80\x99s official government capacity, not for the purpose for which the\n                 card was issued, or not as part of official government business.\nMerchant         A four-digit code used to identify the type of business a merchant conducts\nCategory Code    (e.g., gas stations, restaurants, airlines). Merchants select a code based on\n(MCC)            their primary business. 
Organizations may prohibit purchases from\n                 merchants with certain Merchant Category Codes as a means of reducing\n                 the risk of improper transactions.\nMisuse           In the case of government P-Cards, intentional use of a P-Card for other\n                 than official government transactions. Depending on the circumstances,\n                 misuse may involve fraud.\nP-Card           An account established by a commercial financial institution on behalf of\n                 agencies or individual agency employees to which the cost of purchasing\n                 goods and services may be charged.\nPurchase Limit   The maximum amount that a cardholder may charge to a P-Card account in\n                 a single purchase (i.e., transaction) or in a single monthly billing cycle.\n                 The term also refers to the maximum amount a cardholder may pay when\n                 using a convenience check. The FDIC\xe2\x80\x99s purchase limits are defined in\n                 Cardholder Appointment Memoranda.\nSmartPay 2       A government-wide purchase card program administered by GSA. Under\n                 the program, agencies and organizations issue task orders against master\n                 contracts that GSA has with Citibank, JPMorgan Chase, and U.S.\n                 Bank. These banks provide charge cards to the agency or organization\n                 employees to make purchases on behalf of the agency or organization.\n                 Agencies can obtain different types of charge card products and services\n                 under the SmartPay 2 Program, including purchase, travel, fleet, and\n                 integrated cards.\nTransaction      The swipe of a credit card through a point of sale terminal, completion of\n                 an online transaction, or use of a convenience check. 
A transaction may\n                 involve the purchase of one or more items.\n\n\n\n\n                                          17\n\x0c                                                              Appendix 3\n\n\n                Acronyms and Abbreviations\n\nAcronym/Abbreviation   Explanation\nAO                     Approving Official\nAPC                    Agency Program Coordinator\nAPM                    Acquisition Policy Manual\nASB                    Acquisition Services Branch\nDOA                    Division of Administration\nD/OC                   Division/Office Coordinator\nDRR                    Division of Resolutions and Receiverships\nFDIC                   Federal Deposit Insurance Corporation\nGAO                    Government Accountability Office\nGSA                    General Services Administration\nNFE                    New Financial Environment\nOIG                    Office of Inspector General\nOMB                    Office of Management and Budget\nPAB                    Procurement Administrative Bulletin\nP-Card                 Purchase Card\nPGI                    Procedures, Guidance, and Information Document\nU.S. Bank              U.S. Bank National Association\n\n\n\n\n                                18\n\x0c                                                                                                 Appendix 4\n\n                           Corporation Comments\n\n\nFederal Deposit Insurance Corporation\n3501 Fairfax Drive, Arlington, VA 22226                                                    Division of Administration\n\n DATE:                            March 26, 2014\n\n MEMORANDUM TO:                   Stephen M. 
Beard\n                                  Deputy Inspector General for Audits and Evaluations\n\nFROM:                             Arleas Upton Kea, Director /Signed/\n                                  Division of Administration\n\n SUBJECT:                         Management Response to the Office of the Inspector General Draft\n                                  Audit Report Entitled, The FDIC\xe2\x80\x99s Purchase Card Program\n                                  (Assignment No. 2013-020)\n\n The Division of Administration (DOA) has completed its review of the subject Office of\n Inspector General (OIG) Draft Audit Report dated February 26, 2014. We appreciate the review\n performed by the OIG and are pleased to see that the DOA has established a number of internal\n controls to minimize the risk of improper transactions and that these controls were generally\n consistent with recognized best practices.\n\n Although the OIG found that the FDIC purchase card (P-Card) program was consistent with\n recognized best practices, the OIG did identify opportunities for FDIC to improve the P-Card\n program controls; and made eight recommendations to the DOA. We have reviewed each\n recommendation and have provided our management response along with the planned corrective\n actions that DOA will take for each recommendation.\n\n MANAGEMENT DECISION\n\n Recommendation 1: Make greater use of P-Card transaction data and reports to detect\n patterns, trends and anomalies that may be indicative of potential fraud or misuse.\n\n DOA Management Response: DOA concurs with this recommendation.\n\n In 2012, U.S. Bank created a \xe2\x80\x9cPayment Analytics\xe2\x80\x9d reporting tool that consisted of various types\n of payment alerts that could be made available to the FDIC in its management of the P-card\n program. 
The Agency Program Coordinator (APC), located in the DOA Acquisition Services\n Branch (ASB), who provides the day-to-day administrative oversight of the program, did\n evaluate the payment analytics reports offered by U.S. Bank. As a result, the APC selected four\n reports from the payment analytics tool that would be helpful in managing the P-Card program.\n The four reports include: Possible Split Purchase; Possible Split Transactions in a Single Day;\n Weekend or Holiday Transactions; and Possible Conferences Transactions. The APC believed\n the selection of the four payment analytics reports combined with the other U.S. Bank online\n reports - program management, financial management, supplier management and administration\n reports - provided the necessary control activities to administer the program effectively.\n\n\n\n\n                                                       19\n\x0c                                                                              Appendix 5\n\n\n     Summary of the Corporation\xe2\x80\x99s Corrective Actions\nThis table presents corrective actions taken or planned by the Corporation in response to\nthe recommendations in the report and the status of the recommendations as of the date of\nreport issuance.\n\n                                                                              a\nRec.\n                                           
Expected    Monetary   Resolved:   Open or\n                                                                                        b\nNo.      Corrective Action: Taken or          Completion   Benefits   Yes or No   Closed\n                   Planned                       Date\n 1     DOA will re-evaluate payment            5/31/14       N/A        Yes        Open\n       analytics reports offered by U.S.\n       Bank to determine how this\n       information and other reporting\n       alerts can be leveraged to enhance\n       the overall management and\n       oversight of the P-Card Program.\n       As part of this effort, DOA will\n       consider the use of payment\n       analytics information in identifying\n       patterns, trends, and anomalies that\n       may be indicative of potential\n       fraud or misuse.\n\n       In addition, DOA\xe2\x80\x99s Internal\n       Review Section will incorporate\n       periodic program-level reviews\n       that utilize Level III transaction\n       data in P-Card Program testing.\n 2     With respect to cardholder              6/30/14       N/A        Yes        Open\n       purchase limits, DOA\xe2\x80\x99s Internal\n       Review Section will incorporate\n       periodic reviews of all authorized\n       P-Cardholders into its annual\n       review plan. These reviews, the\n       first of which will be completed by\n       June 30, 2014, will evaluate\n       cardholder purchase limits based\n       on usage and recommend\n       cancellation of unused P-Cards and\n       limit adjustments, as appropriate.\n\n       With respect to the monitoring of\n       convenience checks, DOA will\n       develop a monthly email\n       notification process to address\n       cardholders (and their requisite\n       AOs) who exceed their authorized\n       check limits. In addition, DOA\n       will work with U.S. 
Bank to\n\n                                                26\n\x0c                                                                    Appendix 5\n\n\n    Summary of the Corporation\xe2\x80\x99s Corrective Actions\n     determine whether a real-time\n     means of flagging convenience\n     check limit exceptions can be\n     developed. Such efforts will be\n     completed by May 31, 2014.\n\n     With respect to awareness of the\n     difference between single purchase\n     limits for P-Cards and convenience\n     checks, DOA will issue periodic\n     emails starting April 30, 2014, to\n     all P-Cardholders that reiterate the\n     difference between these types of\n     limits.\n3    DOA will conduct periodic               9/30/14    N/A   Yes       Open\n     reviews of the ratio of AOs to P-\n     Cardholders to ensure the ratios are\n     generally in line with recognized\n     best practices.\n4    DOA will issue an email to all          4/30/14    N/A   Yes       Open\n     AOs that reiterates the\n     responsibilities and expectations\n     for reviewing and verifying\n     documentation supporting P-Card\n     transactions.\n5    DOA will issue an email to all P-       4/30/14    N/A   Yes       Open\n     Cardholders and AOs reiterating\n     the importance of providing timely\n     notification to the P-Card program\n     office of pending cardholder\n     separations. DOA will also\n     explore the possibility of entering a\n     cancellation date into U.S. Bank\xe2\x80\x99s\n     system once the P-Card program\n     office is notified of a cardholder\n     separation. 
Such a process could\n     be used to automatically cancel the\n     P-Card on the employee\xe2\x80\x99s effective\n     separation date.\n6    DOA will issue a Procurement            5/30/14    N/A   Yes       Open\n     Administrative Bulletin (PAB) that\n     updates the P-Card Guide to\n     prohibit cardholders from\n     purchasing non-monetary awards\n     on their own behalf.\n7    DOA will review the roles and           12/31/14   N/A   Yes       Open\n     responsibilities of the D/OC and\n\n                                              27\n\x0c                                                                                              Appendix 5\n\n\n        Summary of the Corporation\xe2\x80\x99s Corrective Actions\n          determine whether changes to the\n          P-Card Guide are needed by May\n          30, 2014. Such changes may\n          require that DOA coordinate with\n          the FDIC\xe2\x80\x99s Corporate University\n          to adjust the P-Card Online\n          Training Course. If changes to the\n          training course are required, DOA\n          will issue a PAB describing the\n          changes by December 31, 2014. If\n          changes to the training course are\n          not required, DOA will issue a\n          PAB describing the changes by\n          June 30, 2014.\n    8     DOA will modify Circular 2420.1,           12/31/14         N/A             Yes            Open\n          FDIC Rewards and Recognition\n          Program, to limit non-monetary\n          award purchases to those items in\n          the FDIC Online Store. The\n          Circular will also be clarified to\n          prohibit cardholders from\n          purchasing non-monetary awards\n          from the FDIC online store on their\n          own behalf. 
The draft circular will\n          be subject to (a) review and\n          negotiation with the National\n          Treasury Employees Union and\n          (b) the FDIC\xe2\x80\x99s standard directive\n          review process.\n\n          In addition, DOA\xe2\x80\x99s Internal\n          Review Section will periodically\n          sample P-Card transactions\n          involving non-monetary awards to\n          assess compliance with policies\n          and procedures and recommend\n          corrective action when necessary.\na\n    Resolved \xe2\x80\x93 (1) Management concurs with the recommendation, and the planned, ongoing, and completed\n                   corrective action is consistent with the recommendation.\n               (2) Management does not concur with the recommendation, but alternative action meets the intent\n                   of the recommendation.\n               (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount.\n                   Monetary benefits are considered resolved as long as management provides an amount.\nb\n  Recommendations will be closed when (a) Corporate Management Control notifies the OIG that corrective\nactions are complete or (b) in the case of recommendations that the OIG determines to be particularly\nsignificant, when the OIG confirms that corrective actions have been completed and are responsive.\n\n\n\n                                                       28\n\x0c'
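The payment analytics reports the APC selected (Possible Split Purchase, Weekend or Holiday Transactions) and the convenience check limit monitoring in Recommendation 2 are rule-based screens over transaction data. The following Python is an added illustration of such screens, not the report's or U.S. Bank's code; the record layout, the purchase and check limits, and the holiday calendar are assumptions, and the transaction records are constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not from the report): one tuple per transaction,
# (cardholder, merchant, ISO date, amount, kind) where kind is "card" or "check".
TRANSACTIONS = [
    ("C001", "ACME OFFICE", "2014-03-10", 2900.00, "card"),    # Monday
    ("C001", "ACME OFFICE", "2014-03-10", 1800.00, "card"),    # same merchant, same day
    ("C002", "HOTEL PLAZA", "2014-03-15", 450.00, "card"),     # Saturday
    ("C003", "LOCAL VENDOR", "2014-03-12", 2700.00, "check"),  # above the check limit
    ("C004", "BOOKS INC", "2014-03-11", 120.00, "card"),       # Tuesday, unremarkable
    ("C005", "SUPPLY CO", "2014-05-26", 80.00, "card"),        # Memorial Day 2014
]
# Assumed limits and holiday calendar for the example; the report gives no figures.
SINGLE_PURCHASE_LIMIT = 3000.00
CHECK_LIMIT = 2500.00
HOLIDAYS = {date(2014, 1, 20), date(2014, 2, 17), date(2014, 5, 26)}


def possible_split_purchases(txns, limit=SINGLE_PURCHASE_LIMIT):
    """Same cardholder, merchant and day: each charge is at or under the single
    purchase limit, but together they exceed it (the classic split pattern)."""
    groups = defaultdict(list)
    for holder, merchant, day, amount, kind in txns:
        if kind == "card" and amount <= limit:
            groups[(holder, merchant, day)].append(amount)
    return {key: sum(amts) for key, amts in groups.items()
            if len(amts) > 1 and sum(amts) > limit}


def weekend_or_holiday(txns, holidays=HOLIDAYS):
    """Card or check activity dated on a Saturday, Sunday or listed holiday."""
    flagged = []
    for holder, merchant, day, amount, kind in txns:
        when = date.fromisoformat(day)
        if when.weekday() >= 5 or when in holidays:
            flagged.append((holder, merchant, day, amount))
    return flagged


def check_limit_exceptions(txns, limit=CHECK_LIMIT):
    """Convenience checks written above the authorized check limit."""
    return [(h, m, d, a) for h, m, d, a, k in txns if k == "check" and a > limit]


if __name__ == "__main__":
    print("possible split purchases:", possible_split_purchases(TRANSACTIONS))
    print("weekend/holiday activity:", weekend_or_holiday(TRANSACTIONS))
    print("check limit exceptions:", check_limit_exceptions(TRANSACTIONS))
```

Each function returns the flagged records so an Approving Official or the Internal Review Section can follow up; a real-time check limit alert would run the last screen on each check as it is presented rather than monthly over a batch.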